I am currently setting up a home lab for practicing Cisco Web Security Appliance (WSA). I am using EVE-NG with an image for the WSA called Coeus-10-5-2-072-S100V, which means it's version 10.5.
I have it set up in my lab and was able to access it through the GUI after setting up IP + default gateway on it. However, I got an SSL error and was unable to use the GUI.
The fix for it is to enable TLSv1.2 on the WSA.
This fix can be applied using the CLI command “sslconfig”.
When you enter this mode and type “versions”, you get a chart showing which versions of TLS/SSL are enabled for the different services:
```
[]> versions

SSL/TLS versions may be enabled or disabled for the following services:

    LDAPS   - Secure LDAP Services (including Authentication, External
              Authentication, SaaS SSO, Secure Mobility)
    Updater - Update Service
    WebUI   - Appliance Management Web User Interface
    RADSEC  - Secure RADSEC Services (including Authentication, External
              Authentication)
    SICAP   - Secure ICAP Service
    Proxy   - Proxy Services (including HTTPS Proxy, Credential Encryption
              for Secure Client)

Currently enabled SSL/TLS versions by service: (Y : Enabled, N : Disabled)

           LDAPS    Updater  WebUI    RADSEC   SICAP    Proxy
SSLv3.0    N        N        N        N/A      N        N
TLSv1.0    Y        Y        Y        N/A      Y        Y
TLSv1.1    N        N        N        Y        Y        Y
TLSv1.2    N        N        N        Y        Y        Y
```
You should then select the WebUI as the service you want to configure the setting for:
```
Select the service for which to enable/disable SSL/TLS versions:

1. LDAPS
2. Updater
3. Proxy
4. RADSEC
5. SICAP
6. WebUI
7. All Services
[]> 6
```
Then you select/enable TLSv1.2:
```
Currently enabled protocol(s) for WebUI are TLSv1.0.


To change the setting for a specific protocol, select an option below:

1. SSLv3.0
2. TLSv1.0
3. TLSv1.1
4. TLSv1.2
[]> 4
```
Then confirm by selecting Yes to the question:
```
Currently enabled protocol(s) for WebUI are TLSv1.0.


To change the setting for a specific protocol, select an option below:

1. SSLv3.0
2. TLSv1.0
3. TLSv1.1
4. TLSv1.2
[]> 4

TLSv1.2 support for Appliance Management Web User Interface is currently
disabled. Do you want to enable it? [N]> Y


Currently enabled protocol(s) for WebUI are TLSv1.0, TLSv1.2.
```
Don't forget to issue the commit.
That should allow you to access the full GUI experience.
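To review the “versions” matrix for every service at once, the following added example (not part of the original post, and not Cisco tooling) parses pasted sslconfig output and lists the services where TLSv1.2 is still disabled or SSLv3.0/TLSv1.0 is still enabled. The function names and the choice to label SSLv3.0 and TLSv1.0 as legacy are assumptions of this example; the sample input is constructed from the matrix shown above.

```python
import re

# Constructed sample: the matrix printed by "versions" in this post.
SAMPLE = """\
           LDAPS    Updater  WebUI    RADSEC   SICAP    Proxy
SSLv3.0    N        N        N        N/A      N        N
TLSv1.0    Y        Y        Y        N/A      Y        Y
TLSv1.1    N        N        N        Y        Y        Y
TLSv1.2    N        N        N        Y        Y        Y
"""

PROTO = re.compile(r"(SSL|TLS)v\d\.\d")
STATES = {"Y", "N", "N/A"}
LEGACY = ("SSLv3.0", "TLSv1.0")  # assumption: what this script calls legacy


def parse_versions(text):
    """Return {service: {protocol: 'Y' | 'N' | 'N/A'}} from pasted output."""
    services, prev, matrix = None, [], {}
    for line in text.splitlines():
        cells = line.split()
        if not cells:
            continue
        if not (PROTO.fullmatch(cells[0]) and len(cells) > 1 and set(cells[1:]) <= STATES):
            prev = cells  # remember the last non-row line: the service header
            continue
        services = services or prev
        if len(cells) - 1 != len(services):
            raise ValueError(f"row does not match header: {line!r}")
        for svc, state in zip(services, cells[1:]):
            matrix.setdefault(svc, {})[cells[0]] = state
    return matrix


def audit(matrix, required="TLSv1.2"):
    """Return {service: [notes]} for services that need attention."""
    findings = {}
    for svc, protos in matrix.items():
        notes = [] if protos.get(required) == "Y" else [f"{required} disabled"]
        old = [p for p in LEGACY if protos.get(p) == "Y"]
        if old:
            notes.append("legacy enabled: " + ", ".join(old))
        if notes:
            findings[svc] = notes
    return findings


if __name__ == "__main__":
    print(audit(parse_versions(SAMPLE)))
```

Legend and prompt lines from a full sslconfig session can be pasted in as well; only the protocol rows and the service header directly above them are used.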
Hope that helps.
Take Care!!
/Kim